[Read!] Malware/Phishing Attempt

vtcnc

Admin
Staff member
H-M Lifetime Diamond Member
Joined
Jun 29, 2014
Messages
4,174
The H-M staff received a malware/phishing attempt this morning - sent to the support email address. Nothing has been compromised but thought I would share a screen shot of what it looks like because the attempt has been made through an inactive members email account. My intention here is to provide a bit of a public service announcement to members who either haven't seen a malware/phishing attempt land in their inbox or don't know what to do if they see one.

First, here is what it looks like in my Gmail inbox:

phishing-malware attempt.png


I redacted the password and member credentials for privacy reasons. I've highlighted three red flags in the emails by way of the "red arrows":

a) an unrecognizable or unfamiliar email address,
b) unfiltered or unprotected credentials, and
c) an attachment.

Let's break these red flags down one at a time:

a) If you do not recognize the email address, the sender name or the business name in the address line - it is strongly recommended that you delete the email.

b) Unfiltered or unprotected credentials. STANDARD practice for legitimate businesses, institutions and government agencies is to NEVER share your password. Passwords are so well protected nowadays that is nearly impossible for anyone to know what your password is. Even Admins at this site do not know what your password is, I couldn't tell you if you asked. I can send you a password reset, and I can enter a new password for you upon your request but I will tell you to change it immediately upon logging in and I will never know what it is. It would be impossible for any of us here to send you an email with your password in it. If you see a password and username in an email sent to you with directions to click on something - this is fair warning that you are about to step off the brink and become a victim. DON'T trust an email that sends you your password, or worse, somebody else's password and asks you to click on or download something.

c) Attachments. My rule of thumb is - unless you are expecting an attachment from somebody you know, an attachment from an unknown sender is probably malicious. While attachments are usually the last thing you will see when inspecting an email like that above, it is usually the first thing I am looking for to know whether the sender is to be trusted or not. Attachments are trojan horses - don't be a victim.

If this isn't clear, or you have additional insight or advice, please reply to this thread. I will post a link in the Site Issues forum pointing back to this thread so we have one source of information on this particular issue available to members.

Bryan
 
Even if you know the person who sent the email with attachment, unless he had earlier said that he was sending you an attachment, I would recommend sending him an email (and not as a reply to the one that you just received, either) asking whether he had just sent you an email with attachment.
 
One other comment on Attachments - if the file size of the attachment is under about 400 bytes, it is due to the mail manager that the sender uses and not really an attachment that the sender attached for you to open.
 
Back
Top